Bug 427088

Summary: SELinux prevents OpenVPN Connections on Port 443
Product: [Fedora] Fedora Reporter: Carsten Clasohm <clasohm>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 8CC: jonstanley
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-05 22:17:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
AVC denied messages
none
policy generated with audit2allow none

Description Carsten Clasohm 2007-12-31 10:58:30 UTC 
Description of problem:

OpenVPN servers sometimes listen on port 443, to allow clients to connect
through an HTTP proxy. The targeted SELinux policy in Fedora 8 prevents the
OpenVPN client to connect to this port.

SELinux also prevents the client from running an "up" script placed in /etc/openvpn.

Version-Release number of selected component (if applicable):

openvpn-2.1-0.19.rc4.fc7
selinux-policy-targeted-3.0.8-69.fc8

How reproducible:

always

Steps to Reproduce:
1. Set up an OpenVPN server listening on port 443.
2. Configure your OpenVPN client on F8 to access this server.
3. Add the following in /etc/openvpn/client.conf:

up /etc/openvpn/up.sh

4. Create the up.sh script, for example to do routing configuration.

Actual results:

No OpenVPN connection is established.

Expected results:

The client should be able to connect to port 443.

Additional info:

I'll attach the AVC denied messages, and a SELinux module generated with
audit2allow which fixes the two problems.
Comment 1 Carsten Clasohm 2007-12-31 10:58:30 UTC 
Created attachment 290570 [details]
AVC denied messages
Comment 2 Carsten Clasohm 2007-12-31 10:59:20 UTC 
Created attachment 290571 [details]
policy generated with audit2allow
Comment 3 Jon Stanley 2008-01-07 23:47:37 UTC 
Hello -

This bug was filed against an incorrect component.  Reassigning to selinux-policy.
Comment 4 Daniel Walsh 2008-01-08 17:11:12 UTC 
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-74.fc8
Comment 5 Daniel Walsh 2008-03-05 22:17:11 UTC 
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.